Purple links can be a security vulnerability, and Chrome is fixing it


Google is adding visited link partitioning to Chrome, making it the first web browser to be fully protected from security vulnerabilities around visited links. The change should roll out to other Chromium-based browsers as well, such as Vivaldi and Microsoft Edge.

You’ve probably seen some links in web pages change to a purple color, or some other visual indicator, after you have visited the linked page. Like many other features implemented by web browsers over the years (RIP Battery Status API), it accidentally turned into a great way to track people across the web as they visit different web pages.

How The Security Vulnerability Works

Web browsers allow sites to customize the appearance of text and other elements using CSS selectors. For example, a website could add styles to ‘.dropdown input’ to change all input elements in a dropdown element, instead of using IDs or classes for each individual element. The ‘:visited’ selector allows web pages to apply styles to links to pages you have visited, which is helpful for changing the default purple color or applying other effects.

Giving web pages the ability to detect visited links has some side effects, though. A malicious page could include hundreds or thousands of links, and by checking which ones matched the :visited selector, it could create a partial record of your browsing history across different sites.

A link appearing as visited on two separate websites.
Google

Modern web browsers already have several mitigations to prevent this behavior, such as providing empty data when web pages request a list of :visited elements, and limiting the styles that can be applied to :visited elements. These changes haven’t fully stopped security vulnerabilities, though. Google said, “as the customizability of visited links has increased over time, so too has the growing number of attacks discovered by security researchers.”

How Chrome Fixed It

Google’s solution is a sandboxing system for :visited links, which isolates the link history for every individual website, instead of storing them all in the same list that any site can potentially access. This is already how local storage and many other browser APIs work.

The company said in a blog post, “You are browsing on Site A and click a link to go to Site B, the combination of “Site A + Site B” is stored in your :visited history. This way, when you visit Site Evil, its link to Site B won’t be shown as :visited because it doesn’t match both parts of our “Site A + Site B” entry (the context where you originally clicked on the link). Since there’s no browsing history displayed on Site Evil, it can’t take advantage of any exploits. Therefore, your browser history is safe!”

Example screenshot with visited link partitioning active.
Google

This isolation system should fully block any potential security vulnerabilities around :visited links. Google also discussed removing the previous mitigations, since they’re not needed anymore, but that’s “future work” that might not happen for a while.
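
The difference between the shared list and the partitioned history can be shown with a small model. This is an added example, not code from Chrome or from Google's blog post: it keys entries on the pair the quote describes, approximates a "site" by the URL origin, and all class names, function names and URLs are hypothetical.

```javascript
// Simplified model (added example) of the two storage designs in the article.
// All site names and URLs are constructed sample values.

// Assumption: a "site" is approximated by the URL's origin.
function siteOf(url) {
  return new URL(url).origin;
}

// Old design: one global list of visited URLs, consulted for every page.
class GlobalVisitedStore {
  constructor() { this.visited = new Set(); }
  recordClick(fromPageUrl, linkUrl) { this.visited.add(linkUrl); }
  isVisited(renderingPageUrl, linkUrl) { return this.visited.has(linkUrl); }
}

// Partitioned design: each entry is "site where the click happened + link URL".
class PartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  key(pageUrl, linkUrl) { return JSON.stringify([siteOf(pageUrl), linkUrl]); }
  recordClick(fromPageUrl, linkUrl) { this.visited.add(this.key(fromPageUrl, linkUrl)); }
  isVisited(renderingPageUrl, linkUrl) {
    // A link is styled :visited only if it was clicked from the rendering site.
    return this.visited.has(this.key(renderingPageUrl, linkUrl));
  }
}

// Replay the article's scenario: the user clicks a link to Site B on Site A,
// then the same link is rendered on Site A, another Site A page, and Site Evil.
function replayScenario(store) {
  const siteA = "https://site-a.example/news";
  const siteAOther = "https://site-a.example/archive";
  const siteEvil = "https://site-evil.example/";
  const linkToB = "https://site-b.example/article";
  store.recordClick(siteA, linkToB);
  return {
    onSiteA: store.isVisited(siteA, linkToB),
    onSiteAOtherPage: store.isVisited(siteAOther, linkToB),
    onSiteEvil: store.isVisited(siteEvil, linkToB),
  };
}

const legacy = replayScenario(new GlobalVisitedStore());
const partitioned = replayScenario(new PartitionedVisitedStore());
console.log("global list:", legacy);
console.log("partitioned:", partitioned);
```

With the global list, the link reads as visited on every page, including Site Evil; with the partitioned store it reads as visited only on pages of Site A, where the click happened.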

Coming in Chrome 136

Google says visited link partitioning will be available in Chrome 136, which is scheduled to get a partial rollout on April 23, 2025, and a full release on April 29, 2025. Presumably, other web browsers based on the same Chromium source code (such as Vivaldi, Edge, Opera, etc.) will receive the feature when they update to Chromium 136 or newer.

Mozilla is supportive of visited link partitioning, but it’s not clear when Firefox might implement the same feature—it was first proposed eight years ago. Apple’s WebKit team also likes the idea, but again, there’s no confirmation of when it could show up in Safari.

Source: Chrome for Developers


